Teenager uncovers route to free Web surfing on T-Mobile network

Enlarge / Free, unfiltered Web browsing—without a data plan.Jacob Ajit
reader comments 54
Share this story
Jacob Ajit, a 17-year-old student at the Thomas Jefferson High School for Science and Technology in Fairfax, Virginia, was bored and screwing around with a smartphone that had service and a SIM for T-Mobile’s prepaid phone service. He soon discovered it was possible to still gain access to the Internet without paying for an account; all he had to do was route everything through a proxy application running on a server with “/speedtest” in its Web address.
The T-Mobile prepaid SIM makes it possible to pay for new service from the phone itself.

This requires the phone to be able to connect to T-Mobile’s network to do so, essentially blocking access to the rest of the Internet through a capture portal until the account is activated.

But Ajit found that the Speedtest mobile app worked even when the phone’s data plan hadn’t been activated—likely as a marketing tool to demonstrate the speed of T-Mobile’s 4G network.
By capturing some of the data sent to Speedtest when connected to a shared network connection through his Mac (he used mitmproxy to do so), Ajit discovered the graphics used in the Speedtest app to measure download speed were hosted on a number of different sites.

The only similarity in them was their Web addresses all included “/speedtest” in the URL. He manually entered the URLs into a browser on the phone and was able to reach them despite the T-Mobile block.
Ajit set up media at Web addresses with /speedtest in their URL.

The browser was able to reach them.

Taking his finding to its conclusion, he set up a simple Web proxy on a remote server using Glype, again using the /speedtest directory in his URL… and it worked.

Ajit had full access to the Web without activating the phone.
Ajit has since taken down the proxy.

Ars attempted to contact T-Mobile for comment on Ajit’s findings, which he said he has reported to the company.

CATEGORIES

Cyber Parse was created to provide knowledge to help everyone understand and deal with the ever increasing threats we all face by Cyber Crime (Malware, Social Engineering, Phishing and hacking).
Our purpose is to provide the right information to our readers by breaking down and communicating knowledge relating to Cyber Crime, Cyber Security, Information Security and Computer Security, then using Risk Management practices to help translate the technical aspects of the Risks, Threats, Vulnerabilities and controls to reduce the risk into business language.